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The GSMA would like to thank the Information Commissioner for the opportunity to provide 
feedback on the Age appropriate design code (the Code). The GSMA welcomes the 
opportunity to work closely with stakeholders to help shape the Code. 


Mobile Industry’s Commitment to Protecting Children 


The GSMA and its mobile network operator (MNO) members are committed to enabling 
young people to access opportunities through mobile safely and responsibly, while actively 
combatting the misuse of mobile technology to exploit youth. The GSMA recognises that the 
United Nations Convention on the Rights of the Child (UNCRC) sets out the specific rights that 
all children, everywhere, are entitled to in order to survive and thrive, to learn and grow, and 
to reach their full potential. The GSMA welcomes the ICO’s recognition of the benefits 
brought by the UNCRC in its Age appropriate design code. The best interests of the child (Art. 
3, UNCRC) should represent a priority to information society services (ISS) when developing 
and offering services that are appropriate for children. 


In September 2018, the GSMA submitted its first response to the ICO’s call for evidence and 
views on the Age appropriate design code, providing some examples of existing 
frameworks/guidelines for the mobile industry on protection of children’s data, safety, and 
digital empowerment. Those include (not exhaustive): 


- GSMA Mobile Privacy Principles* 

- GSMA Privacy Design Guidelines for Mobile Application Development? 

- Guidelines for Industry on Child Online Protection (GSMA, UNICEF, International 
Telecommunications Unit)? 


- 2018 UNICEF Industry Toolkit on Children’s Online Privacy and Freedom of Expression 
(GSMA as contributor)* 


Further references to the aforementioned guidelines will be made in this response. 
Mobile Industry and Applicability of the Age Appropriate Design Code 


Scope 
The proposed Age Appropriate Design Code specifically focuses on ISS likely to be accessed 
by children. An ISS is defined as ‘any service normally provided for remuneration, at a 


1 GSMA Mobile Privacy Principles, available at: 
https://www.gsma.com/publicpolicy/wpcontent/uploads/2016/02/GSMA2016 Guidelines Mobile Privacy Principles.pdf 


2 GSMA Privacy Design Guidelines for Mobile Applications Development, available at: 


apneni. pdf 
3 Guidelines for Industry on Child Online Protection, available at: https://www.itu.int/dms_pub/itu-s/opb/gen/S-GEN- 


COP.IND-2013-PDF-E.pdf 
4 2018 UNICEF Industry Toolkit on Children’s Online Privacy and Freedom of Expression, available at: 
https://www.unicef.org/csr/files/UNICEF Childrens Online Privacy and Freedom of Expression(1).pdf 
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distance, by electronic means at the individual request of a recipient or service’?. In contrast, 
mobile network operators (MNOs) typically provide electronic communications services 
(ECS), as defined by the European Electronic Communications Code (EECC) (Directive 
2018/1972). MNOs do not commonly host data or have control over content accessed by 
users and do not provide ISS (except for applications to monitor usage, for example). As such, 
the ICO’s Code would not typically apply to MNOs. The GSMA considers this the right 
approach. It is also important to note that whilst many children use mobile phones, MNOs do 
not contractually engage with children. 


The consultation document provides examples of services it proposes to be captured by the 
Code: apps, programs, websites, games or community environments, and connected toys or 
devices with or without a screen. 


Toys or devices are a means to access ISS and are not, in themselves, ISS - the GSMA 
considers this is an important distinction. Where companies offer ISS services that children 
are likely to access [and children can go online and receive them], the GSMA agrees these 
should be captured by the Code. Where companies only provide the means (whether that is 
through a mobile phone, a laptop, a watch, a SIM card or smart TV, etc.) through which 
customers can access ISS, the GSMA considers this falls outside the ISS definition and should 
not be captured in the scope of the Code. The scope of the Code would be hugely expanded 
if companies providing the means to access ISS were to be included; for example, a range of 
vendors - from large department stores to smaller online retailers - would all fall within 
scope. The GSMA and its members believe it would be helpful if the scope of the Code were 
clarified in this regard. 


Children as likely users of ISS 

Moreover, in order to identify which users are children (i.e. ‘market research’ or referring to 
‘current evidence on user behaviour’, as per the Consultation), MNOs would potentially be 
required to collect data that is currently not collected and/or profile users. This would create 
a tension between processing additional information in order to identify a type of data 
subject’? and complying with core privacy principles, such as data minimisation, storage 
limitation, purpose limitation and security obligations. Although this tension was 
acknowledged in the Code, when discussing the process of collecting and reporting data for 
age-verification purposes®, some consultation respondents may suggest certain profiling 


5 See page 11, Age appropriate design code, available at: https://ico.org.uk/media/about-the- 


ico/consultations/2614762/age-appropriate-design-code-for-public-consultation.pdf. 


6 ECS is defined as a service typically provided for remuneration via electronic communications networks, which consists of 
(1) internet access services, (2) interpersonal communications services, or (3) services consisting wholly or mainly in the 
conveyance of signals; See pages 4-5, Directive (EU) 2018/1972 Of the European Parliament and of the Council of 11 
December 2018 establishing the European Electronic Communications Code, available at: https://eur-lex.europa.eu/legal- 
content/EN/TXT/PDF/?uri=CELEX:32018L1972&from=EN 

7 This tension is also reflected in Article 11 GDPR on Identification. While identification of a specific user is different than 
identifying whether a user is a child, the fact remains that data collection and processing should be as narrowly tailored as 
possible in order to achieve a specific purpose. 

8 See page 24, Age Appropriate Design Code, available at https://ico.org.uk/media/about-the- 


ico/consultations/2614762/age-appropriate-design-code-for-public-consultation.pdf. 
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techniques to identify children. Such actions could imply that organisations would need to 
create systems and/or new databases to process or retain information about children, which 
may run counter to children’s own right to privacy (Article 16, UNCRC). Additionally, hosting 
new large databases of children’s information could create a potentially unnecessary breach 
vulnerability. 


GSMA guidelines 

The GSMA has developed Privacy Design Guidelines for Mobile Application Development, 
which aim to articulate GSMA’s Mobile Privacy Principles in functional terms and drive a more 
consistent approach to user privacy across mobile platforms, applications and devices. To the 
extent that an MNO might be involved in offering an ISS likely to be accessed by children, 
these guidelines would apply. In addition, where third parties are involved, for example, in 
the process of creating an application or device on behalf of an MNO”, they should adhere to 
data protection by design and the principle of accountability, ensuring that third parties 
handle data responsibly and in accordance with existing legislation/frameworks. 


The GSMA and its members take the privacy and confidentiality of users’ information (with 
special regard to children) seriously and are committed to the responsible use of data. The 
GSMA continues to work, in partnership with our members and stakeholders such as UNICEF, 
Child Helpline International, Interpol, etc. to support children’s rights online. The GSMA 
thanks the Information Commissioner for this opportunity to respond to the Consultation and 
is available for any specific questions in relations to its response. 


Appendix: 


Mobile Industry Approaches to Safeguarding Children’s Data and Identity Online 


In its questionnaire, the ICO requests examples. Please find below some examples from 
various guidelines/frameworks designed by the GSMA and members that are convergent with 
proposed guidelines of the Age appropriate design code. 


ICO Principle Description 
Best interests of the child The best interests of the child should be a - Introductions for both UNICEF Industry 
primary consideration when you design Toolkit on Children’s Online Privacy and 
and develop online services likely to be Freedom of Expression as well as 
accessed by a child. Guidelines for Industry on Child Online 
Protection recognise the importance of 
the UNCRC. 
Transparency The privacy information you provide to Guidelines for Industry on Child Online 
users, and other published terms, policies Protection (COP) 
and community standards, must be - ‘Applications that are intended for 
concise, prominent and in clear language children and adolescents should...help 
suited to the age of the child. Provide such users to easily understand the 
additional specific ‘bite-sized’ explanations | consequences of installing or using an 
about how you use personal data at the application or service’ (p. 18) 
point that use is activated 
UNICEF Industry Toolkit on Children’s 
Online Privacy and Freedom of Expression 


9 To the extent that mobile operators are developing an application for their own service that is designed for children. 
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- 'Children are informed about their rights 
to privacy and freedom of expression, and 
understand how these rights are affected 
by actions such as data collection, filtering 
and content moderation.’ (p. 10) 

- 'Children can easily access transparent 
reporting mechanisms that are adapted 
for their levels of digital literacy and 
understanding, bearing in mind their age, 
maturity and evolving capacities’ (p. 10) 


ICT Coalition for Children Online: 
‘Provide clear information to users on all 
available report and review procedures.’ 


Policies and community standards 


Default settings 


Data minimisation 


Online tools 


Uphold your own published terms, policies 
and community standards (including but 
not limited to privacy policies, age 
restriction, behaviour rules and content 
policies). 


Settings must be ‘high privacy’ by default 
(unless you can demonstrate a compelling 
reason for a different default setting, 
taking account of the best interests of the 
child). 


Collect and retain only the minimum 
amount of personal data you need to 
provide the elements of your service in 
which a child is actively and knowingly 
engaged. Give children separate choices 
over which elements they wish to activate. 


Provide prominent and accessible tools to 
help children exercise their data 
protection rights and report concerns. 


UNICEF Industry Toolkit on Children’s 
Online Privacy and Freedom of Expression 
- Contains a checklist that can be used to 
ensure companies uphold child safety / 
integration measures in place 


- Annual CSR Reports by MNOs also 
include section on Children 

GSMA Privacy Design Guidelines for 
Mobile Application Development (ON 
Social networking and social media) 

- 'Underage users require more privacy 
protective defaults and other protective 
measures’ (p.15). 

-'It is also about ensuring defaults for 
personal profiles for users under age 18 
are set to private’ (p. 15). 


UNICEF Industry Toolkit on Children’s 


Online Privacy and Freedom of Expression 
- ‘Children’s data are kept to what is 


minimally necessary, and are accurate and 
up to date’ (p. 8) 

- ‘Under the principle of data 
minimisation, data collection on children 
should be limited to what is necessary for 
a specific purpose, such as to provide a 
specific platform, a website, product, 
service or application’ (GDPR, Art 6 (1)(c)) , 
also in Toolkit 


GSMA Privacy Design Guidelines for 
Mobile Application Development 

- ‘Minimise information you collect and 
limit its use...An application must access, 
collect and use only the minimum 
information required’ (p. 5) 


GSMA Privacy Design Guidelines for 


Mobile Applications Development 
-'Give users tools to report problems 


regarding an application: Users must be 
provided with information explaining how 
they can report applications that they 
suspect, or which are found to breach the 
privacy and security of their personal 
information. Procedures should be 
established and maintained to deal with 
such reports and address any 

specific threats and risks’ (p.27) 


- Providing effective avenues for children 
to report infringements/abuse. Notice and 
Takedowns (Guidelines for Industry on 
COP, p. 5) 


